https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203390#M10134 <P>Im slightly confused, so just want to make sure Im getting this...are you saying src is natted and that part is fine, but also dst shows nat, but should NOT be?</P> <P>Best,</P> <P>Andy</P> Wed, 17 Jan 2024 17:44:41 GMT the_rock 2024-01-17T17:44:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203383#M10133 <P>Hello team ;-),</P><P>&nbsp;</P><P>Writing today because I have an issue related to Updtabale object in Quantum Sparck appliance.</P><P>Model is 1550</P><P>Running R81 (996000575)</P><P>Remotely manage by MDM R81.10.</P><P>I could reduce policy in 2 Sections:</P><P>1. Allowing access to/from the global entreprise network without NAT or anything (appliance is connected behind SDWAN devices). (let's say 192.168.1.0/24 to/from 192.168.2.0/24)</P><P>2. Allowing access to UO: Zscaler Services and for sure NAT with external ip.</P><P>I had some complaints from some users that sometimes servers raise a "disconnected" status.</P><P>Looking at the logs in the Dashboard, What I see is unbelievable (not the real ip in the post...):</P><P>Src: 192.168.1.2 (this is an internal host)</P><P>Dst: 192.168.2.2 (this is an ip remotely connected with SDWAN) AND the UO:"Zscaler Services".</P><P>And so the src is natted and for sure connection is not possible. Dst should be only 192.168.2.2 and NO NAT.</P><P>I have checked the .C file for Zscaler and for sure 192.198.2.2 is not in it.</P><P>&nbsp;</P><P>Any clue ?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P> Wed, 17 Jan 2024 16:42:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203383#M10133 BikeMan 2024-01-17T16:42:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203390#M10134 <P>Im slightly confused, so just want to make sure Im getting this...are you saying src is natted and that part is fine, but also dst shows nat, but should NOT be?</P> <P>Best,</P> <P>Andy</P> Wed, 17 Jan 2024 17:44:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203390#M10134 the_rock 2024-01-17T17:44:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203449#M10135 <P>I should reach 192.168.2.2 from 192.168.1.2. Policy is allowing this traffic. From / to these network no nat is required. It is part of the global entreprise network.</P><P>Sometimes, when I reach 192.168.2.2, in the Dst section of the logs I have: "192.168.2.2" AND "Zscaler services". As if 192.168.2.2 was part of "Zscaler Services" object while it is not. Traffic is using external interface and is NATted while it should use another routing interface without NAT.</P><P>&nbsp;</P><P>Rgds,</P><P>&nbsp;</P> Thu, 18 Jan 2024 08:23:19 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203449#M10135 BikeMan 2024-01-18T08:23:19Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203477#M10137 <P>I see what you mean, now I got it. Can you verify route is correct?</P> Thu, 18 Jan 2024 12:46:19 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203477#M10137 the_rock 2024-01-18T12:46:19Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203847#M10158 <P>Routing is fine. Sometimes it is working, sometimes not.</P> Mon, 22 Jan 2024 14:41:07 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203847#M10158 BikeMan 2024-01-22T14:41:07Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203848#M10159 <P>Sounds like you may need remote with TAC to check this further, hard to say for sure why thats happenind, sorry.</P> <P>Andy</P> Mon, 22 Jan 2024 14:43:46 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Updatable-Objects/m-p/203848#M10159 the_rock 2024-01-22T14:43:46Z